Computerworld - The worst has happened. I have to cut almost half of my information security staff because, in this economy, the company is losing money faster than anybody anticipated. The cuts will include over a third of our global IT department, and even that may not be enough. We may need another round of layoffs if things don't get better soon.
This is going to have a devastating impact on our ability to provide services to the company and protect its assets. With a bare-bones staff, our IT department won't be able to roll out any new capabilities; all resources will be focused on keeping our technological lights on. It's amazing how fast things are falling apart. At this rate, I'll be lucky if there's a company to protect by the end of this year.
At issue: Layoffs are ordered, and there's no guarantee that there won't be more.
Action plan: Take stock of what the smaller team can still manage to do.
It's demoralizing. Despite my best efforts, I wasn't able to protect my staff, and now we're at risk of losing ground on everything we've accomplished. We spent all of last year establishing our fledgling information-security program. Things were starting to look up, but we can say goodbye to all that for now.
For example, we fought an uphill battle to get our IT organization on board with patching our servers, and we were just starting to see some improvement. Previously, our servers were not being patched at all. They were just being built, deployed and forgotten.
Today, about 20% of our servers are being regularly patched. They were the lowest-hanging fruit -- noncritical servers that were low risk. We were just starting to address the other 80% of our servers, but now I have grave doubts that they will be on a regular patch cycle anytime soon. It's even possible that we'll be unable to maintain the patching routine we fought so hard for.
Given the gravity of our situation, we also won't be able to keep our outsourced third-party services. And my decimated staff, already a skeleton crew before the layoffs hit, isn't going to be able to pick up the slack. In effect, we simply won't be able to do much of anything that an information security department needs to do. Day-to-day operations are going to suffer, and I certainly don't know how we'll be able to find the time to design security for new projects. Oh well, that's something I probably shouldn't worry about too much, since chances are slim that there will be many of those this year. After taking one long, challenging step forward, we're taking two big, fast steps backward.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
